ldapUserDataProvider

Description

A user data provider querying an LDAP server to authorize users and retrieve attributes.

Can be used in

login, oauth2authserver and unifyingUserDataProvider

Syntax

       <ldapUserDataProvider
            url="string"
            base="string"
            [binddn="string"]
            [bindpw="string"]
            searchPattern="string"
            [searchScope="subtree|onelevel|object"]
            [timeout="string"]
            [connectTimeout="string"]
            [passwordAttribute="string"]
            [readAttributesAsSelf="true"] >
            <map>
               <attribute from="string" to="string" />*
            </map>
       </ldapUserDataProvider>
			
Listing 1: ldapUserDataProvider Syntax

Sample

       <ldapUserDataProvider
            url="ldap://192.168.2.100"
            base="dc=predic8,dc=de"
            binddn="cn=Manager,dc=predic8,dc=de"
            bindpw="secret"
            searchPattern="(cn=%LOGIN%)"
            searchScope="subtree"
            timeout="1000"
            connectTimeout="1000"
            readAttributesAsSelf="true" >
            <map>
               <attribute from="telephoneNumber" to="sms" />
               <attribute from="uidNumber" to="header-X-Security-UID" />
            </map>
       </ldapUserDataProvider>
			
Listing 2: ldapUserDataProvider Example

Attributes

Name                  Required  Default  Description                                                                          Example
base                  true      -        Base DN on the LDAP server that is bound to and searched.                            dc=predic8,dc=de
binddn                false     -        DN used for the initial bind; if absent, the bind is anonymous.                      cn=Manager,dc=predic8,dc=de
bindpw                false     -        Password used together with binddn for the initial bind.                             secret
connectTimeout        false     1000     Timeout in milliseconds for the initial bind.                                        1000
passwordAttribute     false     -        Attribute whose "{x-plain}" value is compared to the user's password; if not set,    -
                                         a second bind as the found node is attempted instead.
readAttributesAsSelf  false     true     If set, the node's attributes are fetched in an extra request after the second       true
                                         successful bind; otherwise they are taken from the search result.
searchPattern         true      -        LDAP search filter; "%LOGIN%" is replaced by the escaped username.                   (cn=%LOGIN%)
searchScope           false     subtree  Scope of the search: subtree, onelevel or object.                                    subtree
timeout               false     1000     Timeout for the search.                                                              1000
url                   true      -        URL of the LDAP server.                                                              ldap://192.168.2.100

Explanation

The LDAP User Data Provider performs two jobs:

  1. Authentication of a username and password.
  2. Retrieval of user attributes.

To achieve this, it first binds to base on the LDAP server url. If binddn is not present, it binds to the LDAP server anonymously; otherwise binddn and bindpw are used for authentication.

Next, a search with the filter searchPattern and the scope searchScope is executed, where "%LOGIN%" in the filter is replaced by the escaped version of the username.

A search that returns no node, or more than one node, is treated as a failure.

If passwordAttribute is set and the node has an attribute of that name whose value starts with "{x-plain}", the password is checked for equality against the remainder of the value. If passwordAttribute is not set, a second bind is attempted as the node, using the password the user provided.

The user attribute keys specified in the mapping are then renamed according to the mapping and used for further processing (see the other modules of the login interceptor).

For the initial binding, connectTimeout can be used to specify a timeout in milliseconds. For the search, timeout can be used.

If readAttributesAsSelf is not set, the user attributes are taken from the search result. If it is set, an additional request is made after the second successful bind to retrieve the node's attributes.
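The flow above (escape the login, substitute it into searchPattern, require exactly one node, verify the password either via a "{x-plain}" attribute or a second bind, then rename attributes according to the map) modelled in Python as an added example. This is not Membrane's own code: the directory entries, the CONFIG values, and the helper names (escape_filter_value, ldap_search, ldap_bind, authenticate) are constructed for the example, and the mock server only understands equality filters such as (cn=alice). Dropping password-bearing attributes from the returned map is this example's choice; the page does not say what the provider does with them.

```python
import hmac
import re

# Constructed in-memory "directory" standing in for the LDAP server; all entries are made up.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=org": {
        "cn": "alice", "telephoneNumber": "+49 000 0000", "uidNumber": "1001",
        "userPassword": "{x-plain}correct horse",
    },
    "cn=bob,ou=people,dc=example,dc=org": {
        "cn": "bob", "uidNumber": "1002", "userPassword": "{x-plain}hunter2",
    },
    # A second entry with cn=bob: a search for "bob" returns two nodes and must fail.
    "cn=bob,ou=service,dc=example,dc=org": {
        "cn": "bob", "uidNumber": "2002", "userPassword": "{x-plain}hunter2",
    },
}

# Configuration mirroring the attributes of Listing 2 (hypothetical values).
CONFIG = {
    "base": "dc=example,dc=org",
    "searchPattern": "(cn=%LOGIN%)",
    "searchScope": "subtree",
    "passwordAttribute": None,   # None: authenticate by a second bind as the found node
    "map": {"telephoneNumber": "sms", "uidNumber": "header-X-Security-UID"},
}

PLAIN_PREFIX = "{x-plain}"
EQUALITY_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: the 'escaped version of the username'.
    Escaping keeps * ( ) \\ and NUL from changing the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    """Reverse of escape_filter_value, used by the mock server when matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _check_plain(stored, password: str) -> bool:
    """Compare a '{x-plain}...' attribute value with the supplied password in constant time."""
    if stored is None or not stored.startswith(PLAIN_PREFIX):
        return False
    return hmac.compare_digest(stored[len(PLAIN_PREFIX):].encode(), password.encode())


def ldap_search(base: str, filter_str: str, scope: str) -> list:
    """Minimal stand-in for an LDAP search; supports only equality filters like (cn=alice)."""
    m = EQUALITY_FILTER.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, wanted = m.group(1), _unescape(m.group(2))
    hits = []
    for dn, entry in DIRECTORY.items():
        if scope == "object":
            in_scope = dn == base
        elif scope == "onelevel":
            in_scope = dn.endswith("," + base) and dn.count(",") == base.count(",") + 1
        else:  # subtree
            in_scope = dn == base or dn.endswith("," + base)
        if in_scope and entry.get(attr) == wanted:
            hits.append((dn, entry))
    return hits


def ldap_bind(dn: str, password: str) -> bool:
    """Stand-in for the second bind: the mock server checks userPassword of that entry."""
    entry = DIRECTORY.get(dn)
    return entry is not None and _check_plain(entry.get("userPassword"), password)


def authenticate(login: str, password: str, config=CONFIG):
    """Return the mapped user attributes on success, None on any failure."""
    filter_str = config["searchPattern"].replace("%LOGIN%", escape_filter_value(login))
    hits = ldap_search(config["base"], filter_str, config.get("searchScope", "subtree"))
    if len(hits) != 1:  # no node or more than one node: failure
        return None
    dn, entry = hits[0]
    pw_attr = config.get("passwordAttribute")
    if pw_attr:
        if not _check_plain(entry.get(pw_attr), password):
            return None
    elif not ldap_bind(dn, password):
        return None
    # Rename keys per the <map>; unmapped keys are kept, password-bearing ones dropped
    # (this example's choice; the page does not specify either behaviour).
    mapping = config["map"]
    return {mapping.get(k, k): v for k, v in entry.items()
            if k != "userPassword" and k != pw_attr}
```

Running authenticate("alice", "correct horse") yields the mapped attributes {"cn": "alice", "sms": ..., "header-X-Security-UID": "1001"}; authenticate("bob", "hunter2") fails because two nodes match, and a login of "*" fails because escaping turns it into "\2a", so it no longer acts as a wildcard in the filter.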

Child Elements

Position  Cardinality  Description                                                    Element
1         0..1         Mapping of LDAP attribute names to user attribute keys.        map